- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
1) [X] Responsive to communication(s) filed on 28 March 2002.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.
4) [X] Claim(s) 1-18 is/are pending in the application.
6) [X] Claim(s) MM is/are rejected.
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.

DETAILED ACTION

1. This action is responsive to the application filed on March 28, 2002. Claims 1-18 
are pending. Claims 1-18 represent an information technology incident response and 
investigation system and method. 



2. Claim Rejections - 35 USC §102 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent 
by another filed in the United States before the invention thereof by the applicant 
for patent, or on an international application by another who has fulfilled the 
requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before 
the invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) and the Intellectual Property and High Technology Technical 
Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting 
directly or indirectly from an international application filed before November 29, 2000. 
Therefore, the prior art date of the reference is determined under 35 U.S.C. 102(e) prior 
to the amendment by the AIPA (pre-AIPA 35 U.S.C. 102(e)). 



3. Claims 1-5, 8-15 and 18 are rejected under 35 U.S.C. 102(e) as being 
unpatentable over Proctor U.S. 6,530,024. 

Proctor teaches the invention as claimed including adaptive feedback security 
system and method. 

As to claim 1, Proctor teaches a method of responding to an information 
technology related incident, comprising the steps of: 

Receiving a computer generated security alert indicative of prohibited activity 
transpiring between a first and a second networked computing device (column 14, lines 
55-57, Proctor discloses a security administrator can be alerted when a security incident 
is detected); 

Displaying the security alert on an incident response and investigation system for 
analysis by an administrator (column 6, lines 53-65, Proctor discloses the data collected 
is analyzed; column 14, lines 57-60, Proctor discloses the alert can be a warning 
flashing on a display screen of the administrator's terminal); 

Creating an electronic documentation of a potential computer network 
misconduct incident based on information contained in the security alert (column 14, 
lines 57-60, Proctor discloses the alert can be an e-mail message to the administrator); 

Opening an electronic investigation file to facilitate administration of an 
investigation of the potential computer network misconduct incident (column 2, lines 7-16, 
Proctor discloses an audit policy to define and identify activities to be audited); 

Collecting items of electronic evidence relating to the investigation of the 
potential computer network misconduct incident (column 2, lines 7-16, Proctor discloses 
the auditing include logging the occurrences of audited events, they are recorded in one 
or more event log files); and 

Maintaining the electronic evidence in an electronic 
evidence database associated with the electronic investigation file (column 14, lines 62-63, 
Proctor discloses security incident reports can be logged on a local database). 



As to claim 2, Proctor teaches the method according to claim 1, further 
comprising the step of routing an investigation approval form to at least one selected 
individual for the at least one individual to authorize or deny the investigation of the 
incident (column 2, line 67 to column 3, lines 1-3, Proctor discloses alerts to an 
administrator can be provided such that the administrator can be asked to provide 
feedback or other input to control, monitor or approve the updating of the security 
procedure). 

As to claim 3, Proctor teaches the method according to claim 1, wherein the 
security alert is generated in response to an action of an author, the author being 
anonymous (column 14, lines 55-57, Proctor discloses a security administrator can be 
alerted when a security incident is detected; column 12, lines 42-48, Proctor discloses 
the security policy can be updated for the identified users, and it can determine when a 
hacker is tapped into the system). 

As to claim 4, Proctor teaches the method according to claim 1, further 
comprising the steps of establishing a set of criteria for security alert handling and 
acting upon the security alert based on the set of criteria (column 2, lines 34-41, 
Proctor discloses the security policy may define criteria such as the number of 
unsuccessful logon attempts allowed before the system is shut down or a user's ID is 
invalidated, the aging of passwords, the size and type of passwords, the level of 
access granted to guest users). 

As to claim 5, Proctor teaches the method according to claim 4, wherein the step 
of acting upon the security alert is carried out by a computer system (column 16, lines 
19-26, Proctor discloses if a security alert is detected, alert manager is notified such 
that the administrator can be alerted and appropriate responses put into effect). 

As to claim 8, Proctor teaches the method of claim 1, further comprising the step 
of alerting at least one person that an investigation file has been opened (figure 3; 
column 16, lines 43-51, Proctor discloses audit policy and collection policy to provide 
more frequent audits of the activities associated with target 104A, alert manager may 
notify target manager upon detection of a security occurrence that the security 
procedures need to be updated). 

As to claim 9, Proctor teaches the method according to claim 1, further 
comprising the steps of storing a collection of security policies and support guidelines 
in a database and referring to the policies and guidelines when documenting the 
incident and administering to the investigation of the incident (column 14, lines 18-31, 
Proctor discloses an audit policy includes a collection policy, an audit policy, a 
security policy, an audit agent and a local event log. The audit agent monitors and 
collects events and activities occurring in the network computing environment and 
stores records of these events and activities on local event log). 

As to claim 10, Proctor teaches an information technology incident response and 
investigation system comprising: 

An incoming security alert administration means for receiving a computer 
generated security alert indicative of prohibited activity transpiring between a first and a 
second networked computing device (column 14, lines 55-57, Proctor discloses a 
security administrator can be alerted when a security incident is detected); 

A display for displaying the security alert for analysis by an administrator (column 
6, lines 53-65, Proctor discloses the data collected is analyzed; column 14, lines 57-60, 
Proctor discloses the alert can be a warning flashing on a display screen of the 
administrator's terminal); 

An incident administration means for creating an electronic incident file to 
determine a potential computer network misconduct incident based on information 
contained in the security alert (column 14, lines 57-60, Proctor discloses the alert can be 
an e-mail message to the administrator); and 

An investigation administration means for opening an electronic investigation file 
to facilitate administration of an investigation of the potential computer network 
misconduct incident documented in the incident file (column 2, lines 7-16, Proctor 
discloses an audit policy to define and identify activities to be audited); 

As to claim 11, Proctor teaches the system according to claim 10, wherein the 
security alert is generated in response to an action of an author, the author being 
anonymous (column 14, lines 55-57, Proctor discloses a security administrator can be 
alerted when a security incident is detected; column 12, lines 42-48, Proctor discloses 
the security policy can be updated for the identified users, and it can determine when a 
hacker is tapped into the system). 

As to claim 12, Proctor teaches the system according to claim 10, wherein the 
security alert is generated by an information technology security device or software tool 
(figure 9, item 104A). 

As to claim 13, Proctor teaches the system according to claim 10, further 
comprising an information technology policy administration means for storing a 
collection of security policies and support guidelines in a database, the policies and 
guidelines accessible from the incident administration means and the investigation 
administration means (column 14, lines 18-31, Proctor discloses an audit policy 
includes a collection policy, an audit policy, a security policy, an audit agent and a 
local event log. The audit agent monitors and collects events and activities occurring in 
the network computing environment and stores records of these events and activities 
on local event log). 

As to claim 14, Proctor teaches the system according to claim 10, wherein the 
investigation administration means includes an electronic authorization means to 
approve an opening of an investigation file (column 2, line 67 to column 3, lines 1-3, 
Proctor discloses alerts to an administrator can be provided such that the administrator 
can be asked to provide feedback or other input to control, monitor or approve the 
updating of the security procedure). 

As to claim 15, Proctor teaches the system according to claim 10, wherein the 
investigation administration means includes an electronic evidence database means 
associated with the electronic investigation file for maintaining items of electronic 
evidence relating to the investigation of the potential computer network misconduct 
incident (column 2, lines 7-16, Proctor discloses an audit policy to define and identify 
activities to be audited, and the auditing includes logging the occurrences of audited 
events, they are recorded in one or more event log files). 

As to claim 18, Proctor teaches the method of claim 10, further comprising an 
investigation alerting tool for alerting at least one person that an investigation file has 
been opened (figure 3; column 16, lines 43-51, Proctor discloses audit policy and 
collection policy to provide more frequent audits of the activities associated with target 
104A, alert manager may notify target manager upon detection of a security 
occurrence that the security procedures need to be updated). 



4. Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed 
or described as set forth in section 102 of this title, if the differences between the 
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was 
made. 

5. Claims 6 and 16 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Proctor U.S. 6,530,024 in view of Serbinis et al. U.S. 6,584,466. 

Proctor teaches the invention substantially as claimed including adaptive 
feedback security system and method. 

As to claim 6, Proctor teaches the method according to claim 1. 

Proctor fails to teach explicitly digitally notarizing at least one item of electronic 
evidence contained in the electronic evidence database. 

However, applicants admitted digital notarization techniques are known in the art 
in the specification. Serbinis teaches Internet document management system and 
method. Serbinis teaches digital notarization (column 8, lines 31-44). Applicant 
admitted digital notarization techniques are known in the art in the specification. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Proctor in view of Serbinis to provide digitally notarizing at least one 
item of electronic evidence contained in the electronic evidence database. One would 
be motivated to do so to allow increasing confidence and prohibiting tampering in order 
to protect validity of documents. 

As to claim 16, Proctor teaches the system according to claim 15. 

Proctor fails to teach explicitly digitally notarizing at least one item of electronic 
evidence contained in the electronic evidence database. 

However, applicants admitted digital notarization techniques are known in the art 
in the specification. Serbinis teaches Internet document management system and 
method. Serbinis teaches digital notarization (column 8, lines 31-44). Applicant 
admitted digital notarization techniques are known in the art in the specification. 



Application/Control Number: 10/089,492 
Art Unit: 2157 






It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Proctor in view of Serbinis to provide digitally notarizing at least one 
item of electronic evidence contained in the electronic evidence database. One would 
be motivated to do so to allow increasing confidence and prohibiting tampering in order 
to protect validity of documents. 

6. Claims 7 and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Proctor U.S. 6,530,024 in view of Kikinis U.S. 6,785,710. 

Proctor teaches the invention substantially as claimed including adaptive 
feedback security system and method. 



As to claim 7, Proctor teaches the method of claim 1. 

Proctor fails to teach explicitly searching a selected electronic mail file for at least 
one specified word and storing the electronic mail file in the electronic evidence 
database if the at least one specified word is present in the electronic mail file. 

However, Kikinis teaches e-mail client with programmable address attributes. 
Kikinis teaches searching a selected electronic mail file for at least one specified word 
(column 2, lines 61-66, Kikinis discloses reviewing the received e-mail message for 
words for comparison to prestored words; see abstract). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Proctor in view of Kikinis to provide searching a selected electronic 
mail file for at least one specified word and storing the electronic mail file in the 
electronic evidence database if the at least one specified word is present in the 
electronic mail file. One would be motivated to do so to allow preventing bad alerts. 

As to claim 17, Proctor teaches the system according to claim 10. 

Proctor fails to teach explicitly the investigation administration means includes an 
electronic mail search tool for searching a selected electronic mail file for at least one 
specified word and storing the electronic mail file in the electronic evidence database if 
the at least one specified word is present in the electronic mail file. 

However, Kikinis teaches e-mail client with programmable address attributes. 
Kikinis teaches the investigation administration means includes an electronic mail 
search tool for searching a selected electronic mail file for at least one specified word 
(column 2, lines 61-66, Kikinis discloses reviewing the received e-mail message for 
words for comparison to prestored words; see abstract). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to modify Proctor in view of Kikinis to provide the investigation administration 
means includes an electronic mail search tool for searching a selected electronic mail 
file for at least one specified word and storing the electronic mail file in the electronic 
evidence database if the at least one specified word is present in the electronic mail file. 
One would be motivated to do so to allow preventing bad alerts. 

7. Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to El Hadji M Sail whose telephone number is 571-272-4010. 
The examiner can normally be reached on 8:00-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ario Etienne can be reached on 571-272-4001. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-4010. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

El Hadji Sail 
Patent Examiner 
Art Unit: 2157 





